This topic describes how to configure a whitelist for an RDS MySQL instance. After you create an RDS instance, you must configure a whitelist for it to allow external devices to access the instance.

Configuring a whitelist does not affect the normal running of your RDS instance, but only makes your RDS instance more secure. We recommend that you update the whitelists for your RDS instance on a regular basis.

Note The default whitelist contains only the default IP address 127.0.0.1. Before you add new IP addresses to the whitelist, no devices can access the RDS instance.

Precautions

  • The default whitelist can only be edited or cleared. It cannot be deleted.
  • If you log on to DMS but your IP address has not been added to the whitelist, DMS prompts you to add the IP address and automatically generates a whitelist containing your IP address.

Procedure

  1. Log on to the RDS console.
  2. In the upper-left corner of the page, select the region where the instance is located.Select a region
  3. Find the instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab page, click Edit corresponding to the default whitelist.
    Note You can click Create Whitelist to create a whitelist.
    Create Whitelist
  6. In the displayed Edit Whitelist dialog box, specify the IP addresses or CIDR blocks used to access the instance, and then click OK.
    • If you specify the CIDR block 10.10.10.0/24, any IP addresses in the 10.10.10.X format are allowed to access the RDS instance.
    • To add multiple IP addresses or CIDR blocks, separate each entry with a comma (without spaces), for example, 192.168.0.1,172.16.213.9.
    • After you click Add Internal IP Addresses of ECS Instances, the IP addresses of all the ECS instances under your Alibaba Cloud account are displayed. You can quickly add internal IP addresses to the whitelist.
    Note After you add an IP address or CIDR block to the default whitelist, the default address 127.0.0.1 is automatically deleted.
    Edit Whitelist

Common errors

  • The default address 127.0.0.1 in Data Security > Whitelist Settings indicates that no device is allowed to access the RDS instance. Therefore, you must add IP addresses of devices to the whitelist to allow access to the instance.
  • The IP address in the whitelist is set to 0.0.0.0, but the correct format is 0.0.0.0/0.
    Note 0.0.0.0/0 indicates that all devices are allowed to access the RDS instance. Exercise caution when using this IP address.
  • The public IP address that you add to the whitelist may not be the real egress IP address. The reasons are as follows:
    • The public IP address is not fixed and may dynamically change.
    • The tools or websites used to query the public IP addresses provide wrong IP addresses.

APIs

API Description
DescribeDBInstanceIPArrayList Used to view the IP address whitelist of an RDS instance.
ModifySecurityIps Used to modify the IP address whitelist of an RDS instance.